DETAILED ACTION

1. This action is in response to communication: amendment filed 06/13/2007.

2. Claims 1-7 and 14-23 are currently pending in this application. Claims 1 and 14 
are independent claims. Claims 8-13 have been cancelled. 

3. No IDS was received for this application. 



Claim Rejections - 35 USC §112 

4. The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

5. Claims 14-23 are rejected under 35 U.S.C. 112, first paragraph, as failing to
comply with the written description requirement. The claim(s) contains subject matter 
which was not described in the specification in such a way as to reasonably convey to 
one skilled in the relevant art that the inventor(s), at the time the application was filed, 
had possession of the claimed invention. 

As per claims 14-23, the independent claim recites "identification information in
database accessible to the user." However, the specification does not mention that this 
database is accessible to the user. Instead, it recites that the database is accessible to 
the authentication server.

6. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

7. Claims 1-7 and 14-23 are rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject matter 
which applicant regards as the invention. 

As per claims 1-7 the independent claim recites "a method for a second 
operation of authentication a user and securing an ..." It is unclear why this would be a 
second operation. It is unclear what the first operation encompasses. 

As per claims 4-7, claim 4 recites "is a function of a previous one (Ki-1)." It
remains unclear what a previous "one" is. Further, it is unclear what is emitted by the 
card (session key or the previous "one"). 

As per claims 5-7, claim 5 recites "used by the IVR applet." There is insufficient 
antecedent basis for this limitation in the claim. 

Further, as per claims 5-7, the claims recite an encryption code is transmitted to 
the authentication server. However, it is unclear what an encryption code is. It later 
seems to appear in claim 6 that the encryption code is an encrypted PIN number, 
encrypted from a session key. The term 'encryption code' is not a term normally used in 
the art to describe an encrypted code. It is therefore unclear what this 'encryption code' 
is referring to. 



Application/Control Number: 10/696,652 Page 4 

Art Unit: 2134 

As per claims 14-23, claim 14 recites "wherein the system authenticates the user 
and the online transactions by the application server which receives the demodulated 
identification sequence from the IVR server...". It is unclear what is going on here, as 
there is no punctuation separating any of the many different clauses. Also, it is unclear 
what actions are being performed by what (such as if they are being performed by the 
system, IVR server, applications server, etc). 

As per claim 16, there is insufficient antecedent basis for the term "the 
authentication server." 

Claim 17 is rejected using the same basis of arguments used to reject claim 4
above.

As per claim 17, there is insufficient antecedent basis for the term "the session 
key (Ki)." 

As per claim 17, there is insufficient antecedent basis for the term "the 
authentication server." 

Claim 18 is rejected using the same basis of arguments used to reject claim 5
above.

As per claim 18, there is insufficient antecedent basis for the term "the session
key (Ki)."

As per claim 19, there is insufficient antecedent basis for the term "the
authentication server." 

As per claim 19, there is insufficient antecedent basis for the term "the previous 
one(Ki-1)."

As per claim 19, there is insufficient antecedent basis for the term "the user PIN."

As per claim 20, there is insufficient antecedent basis for the term "the 
authentication server." 

As per claim 20, there is insufficient antecedent basis for the term "decrypted 
PIN and the PIN." 

As per claim 20, there is insufficient antecedent basis for the term "the database." 

8. As there are multiple 112 rejections in all the pending claims, the claims will be 
rejected as best understood by the Examiner in order to expedite a complete 
examination of the instant application. 

Claim Rejections - 35 USC § 103 

9. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1, 14, and 23 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Landry et al. US Patent No. 6,687,350 (hereinafter Landry), in view of Kia et al. US
Patent No. 6,404,870 (hereinafter Kia).

As per claim 1, Landry teaches a method for a second operation of
authenticating a user and securing an online transaction over a telephone, comprising:
providing a card reader connecting a smart card to a telephone (col. 2 lines 25-30);
transmitting from the smart card at least an identification sequence for the user to an
IVR server connected to a telephone line in the form of a modulated signal (col. 10 lines
25-30; col. 5 lines 1-22; col. 6 lines 5-29; Figures 2, 3); demodulating the identification
sequence at the IVR server (it is inherent that the signal is demodulated, as a
modulated signal must be demodulated in order for the data to be useful and
processed; this also occurs at the IVR server (col. 5 lines 1-10)). However, at the time of
the invention, Landry does not explicitly teach authenticating the user and the
transaction at an application server receiving the demodulated identification sequence
from the IVR server over a communication network wherein data processing required
for generating, transmitting, and authenticating the user occur without data processing
assistance from the card reader. This is taught in Kia though, such as in col. 4 lines 29-36.
Also, as taught in Landry, authentication and data processing are controlled by an
application server, and the smart card reader is all being controlled by the server, which
just relays information and acts as a gateway, as can be seen in col. 3 lines 30-50. As
can be seen in Kia, the IVR in the gateway receives information and forwards it to the
authentication server to process.

At the time of the invention, it would have been obvious to one of ordinary skill in 
the art to combine the references of Kia with Landry. One of ordinary skill in the art 
would have been motivated to perform such an addition to be able to improve 
authentication systems. This is taught by Kia in col. 1 line 60 to col. 2 line 5, wherein it
recites "thus, the need remains for improving the scalability and reliability of the
authorization based telephone system." 

Claim 14 is rejected using the same basis of arguments used to reject claim 1 
above. A card reader connected to a telephone is taught throughout the reference, 
such as in Landry Figure 1a and 1b. It is inherent that a telephone is connected to a 
telephone line. An IVR server connected to the telephone line is taught throughout the 
reference, such as in Figures 1, 2, 3, and col. 5 lines 1-12.

As per claim 23, Landry teaches wherein the card reader is further integrated into 
the telephone handset (col. 2 lines 45-68). 

10. Claims 2-3 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Landry and Kia as applied above, and further in view of Chang et al. US Patent No. 
6,715,082 (hereinafter Chang). 

As per claim 2, Landry teaches a credit card number in col. 1 lines 25-29, which 
is a unique number. However, Landry and Brown do not explicitly teach the use of one 
time keys on a smart card. These are well known in the art, as can be seen in Chang 
col. 2 lines 10-25.

At the time of the invention, it would have been obvious to include random one- 
time keys to be stored on smart cards. One of ordinary skill in the art would have been
motivated to perform such an addition to increase security. This is taught by Chang in
col. 2 lines 11-15. 

As per claim 3, the one-time password taught by Chang in col. 2 lines 10-25 is a 
key used in a session. It is taught in Chang that this one time password/key is not 
transmitted to an authentication server, as it is only transmitted to an access server. 

Claim 15 is rejected using the same basis of arguments used to reject claim 2
above.

Claim 16 is rejected using the same basis of arguments used to reject claim 3
above.

11. Claims 4 and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Landry, Kia, and Chang as applied above, and further in view of Brinkmeyer et al. US 
Patent No. 5,619,573 (hereinafter Brink). 

As per claim 4, as best understood by the Examiner, the Landry combination 
does not explicitly teach wherein the session key is a function of a previous key. 
However, this is taught by Brink, such as in col. 3 lines 60 to col. 4 line 25. This would 
be inherently known by an authentication server, as the authentication server needs to 
know the key in order to verify if it was valid or not. 

At the time of the invention, it would have been obvious to one of ordinary skill in 
the art to include using a previously known key. One of ordinary skill in the art would
have been motivated to perform such an addition to create more security. As they are
one way functions, it would be extremely difficult to determine the previous keys unless 
they were known. By using previous keys, it would increase security, as it would almost 
guarantee that the key was actually known by the user and the authentication server, 
and not a malicious middle man. 

Claim 17 is rejected using the same basis of arguments used to reject claim 14
above.

12. Claims 5-7 and 18-20 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Landry, Kia, Chang, and Brink as applied above, and further in view of Bruce 
Schneier's Applied Cryptography, 2nd Edition (1997), (hereinafter Schneier).

As per claims 5-7, as best understood by the Examiner, the claims recite the use 
of encryption keys, decryption, one-way functions and authentication. These are well 
known in the art, as taught throughout Schneier, such as in pages 28-42. PIN codes are
taught throughout Landry and Kia, and it would be obvious to encrypt PINs, because
a PIN contains sensitive information, which should never be sent in the clear. Further, it
is common practice that authentication is valid if PINs match a PIN stored in a
database (that is how PINs or passwords work). Further, databases holding security
information are taught throughout Kia, such as in col. 2 lines 14-20 and in col. 3 lines 15-24
and col. 4 lines 29-37.

At the time of the invention, it would have been obvious to combine the teachings
of Schneier with the Landry combination. One of ordinary skill in the art would have 
been motivated to perform such an addition to be able to provide a secure system. The 
Landry combination is already directed to secure online transactions, and Schneier 
teaches the details of this. 

Claims 18-20, as best understood by the Examiner, are rejected using the same
basis of arguments used to reject claims 5-7 above.

13. Claims 21-22 are rejected under 35 U.S.C. 103(a) as being obvious over Landry 
and Kia as applied above. 

As per claim 21, the claim recites wherein the smart card is powered by the
voltage provided by the telephone line. It is well known in the art that telephones are
powered by the power flowing from telephone lines. Since the smart card reader is
attached to the telephone, as taught in Landry, it would have been obvious to power a
smart card that is connected to the phone using the voltage provided by the phone, as
this would reduce the number of additional power sources and voltage lines. Further, Landry
teaches that the smart card may be powered by the telephone set, in col. 7 lines 50-54.
As already discussed, many phones are powered by the telephone lines.

As per claim 22, it is inherent that a smart card would transmit signals via 
contacts. Although the Landry combination does not explicitly teach ISO contacts, it 
would have been obvious to do so, if not inherent. As Landry already teaches utilizing
contacts, it would have been obvious to utilize ISO contacts, as ISO contacts are well
known in the art and used throughout industry. It would have been obvious to incorporate
ISO contacts for ease of use.

Conclusion 

14. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37
CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

15. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Jason K. Gee whose telephone number is (571) 272-6431.
The examiner can normally be reached on M-F, 7:00 am to 4:30 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kambiz Zand, can be reached on (571) 272-3811. The fax phone number
for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free).



Jason Gee 
Patent Examiner 
Technology Center 2134
08/03/2007 




